[FIX] Bump Authlib 1.2.1 -> 1.6.12 & PyMySQL 1.1.0 -> 1.1.1 (clear critical Dependabot alerts) #2041
base: main
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -39,7 +39,7 @@ dependencies = [ | |
| "snowflake-connector-python[pandas]~=4.6.0", # For Snowflake | ||
| "google-cloud-bigquery==3.11.4", # For Bigquery | ||
| "pymssql==2.3.4", # For MSSQL | ||
| "PyMySQL==1.1.0", # For MySQL | ||
| "PyMySQL==1.1.1", # For MySQL | ||
|
🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Description: Verify PyMySQL version 1.1.1 is current and secure

# Check PyPI for the latest PyMySQL version
echo "=== Latest PyMySQL version on PyPI ==="
curl -s https://pypi.org/pypi/pymysql/json | jq -r '.info.version'

# Check for security advisories using GitHub CLI
echo -e "\n=== Security advisories for PyMySQL ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: PIP, package: "pymysql") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'
```

Repository: Zipstack/unstract
Length of output: 1986

🌐 Web query:
💡 Result: As of June 11, 2026, the latest version of PyMySQL on PyPI is 1.2.0, which was released on May 19, 2026 [1][2][3]. PyMySQL 1.1.1 was released on May 21, 2024 [4][5]. It is a historical version that included a fix for a security vulnerability (CVE-2024-36039), which addressed a potential SQL injection issue related to dict parameters in

Citations:
🌐 Web query:
💡 Result: The primary security advisory for PyMySQL is CVE-2024-36039, which is documented in the GitHub Advisory Database as GHSA-v9hf-5j83-6xpp [1][2].

Affected Versions: All versions of PyMySQL up to and including 1.1.0 are affected by this vulnerability [3][2].

Patched Version: The vulnerability was resolved in version 1.1.1 [4][5]. Users are strongly recommended to upgrade to version 1.1.1 or later to mitigate this risk [6][5].

Vulnerability Details: The issue is an SQL injection vulnerability (CWE-89) [3][2]. It occurs because the library's `escape_dict` function does not properly escape dictionary keys when processing untrusted JSON input, potentially allowing an attacker to execute arbitrary SQL commands [2][7]. In version 1.1.1, the maintainers addressed this by prohibiting the use of dictionary parameters in the `Cursor.execute` method, as this usage pattern did not produce valid SQL and introduced the injection risk [6][4][5]. If an immediate upgrade is not possible, maintainers recommend ensuring that any input from untrusted sources is strictly validated to have the expected type, as dictionary inputs are the primary attack vector [6][8][5].

Citations:
Update PyMySQL pin: 1.1.1 is patched but not latest (as of 2026-06-11).
||
| "oracledb==2.4.0", # For OracleDB | ||
| "fsspec[sftp]~=2024.10.0", # For SFTP | ||
| ] | ||
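Review bot: the Authlib bump named in the PR title does not appear in this hunk; only the PyMySQL pin changes here (`"PyMySQL==1.1.0"` to `"PyMySQL==1.1.1"`), so confirm the Authlib pin, and any lock file resolved from this dependency list, is updated in the same change. A second, smaller point: the list mixes exact pins (`"pymssql==2.3.4"`, `"PyMySQL==1.1.1"`) with compatible-release specifiers (`"snowflake-connector-python[pandas]~=4.6.0"`, `"fsspec[sftp]~=2024.10.0"`). With an exact `==1.1.1` pin the next PyMySQL patch release will need another PR to clear the next Dependabot alert; if project policy allows it, `~=1.1.1` would pick up patch releases automatically while still excluding the vulnerable 1.1.0.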
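The advisory summary in the review comment above says dict parameters were the injection vector for CVE-2024-36039 and that, where an upgrade is not immediately possible, untrusted input should be validated to the expected type before it reaches `Cursor.execute`. The following is an added example of such a guard; it is not Zipstack/unstract or PyMySQL code, and the function names (`validate_query_args`, `prepare`, `classify`), the sample SQL and the request bodies are all constructed for the illustration. It does not import PyMySQL, so it runs offline, and it is deliberately stricter than the library: a dict, or any other container, is rejected at every position in the parameter list.

```python
"""
Type guard for PyMySQL query parameters.

Added example (not Zipstack/unstract or PyMySQL code). The advisory for
CVE-2024-36039 names dict parameters as the injection vector and recommends
validating untrusted input to the expected type; this guard does that in
front of cursor.execute() without importing PyMySQL, so it runs offline.
It is intentionally stricter than the library itself: dicts and nested
containers are rejected at any position.
"""
from __future__ import annotations

import datetime
import decimal
import json
from collections.abc import Sequence
from typing import Any

# Scalar types that map one-to-one onto a %s placeholder.
ALLOWED_SCALARS = (
    str, bytes, int, float, bool, type(None),
    datetime.date, datetime.datetime, datetime.time, decimal.Decimal,
)


class UnsafeQueryArgument(TypeError):
    """A parameter is not a plain scalar and must not reach cursor.execute()."""


def validate_query_args(args: Any) -> tuple:
    """Return args as a tuple of scalars, or raise UnsafeQueryArgument.

    Accepted: None, a single scalar, or a list/tuple of scalars.
    Rejected: a dict anywhere (the advisory's injection vector) and any
    other container nested inside the parameter sequence.
    """
    if args is None:
        return ()
    if isinstance(args, dict):
        raise UnsafeQueryArgument("dict parameters are not allowed; pass a tuple of scalars")
    if isinstance(args, ALLOWED_SCALARS):
        return (args,)
    if not isinstance(args, Sequence):
        raise UnsafeQueryArgument(f"parameters must be a list or tuple, got {type(args).__name__}")
    clean = []
    for index, value in enumerate(args):
        if not isinstance(value, ALLOWED_SCALARS):
            raise UnsafeQueryArgument(
                f"parameter {index} has unsupported type {type(value).__name__}"
            )
        clean.append(value)
    return tuple(clean)


def count_placeholders(sql: str) -> int:
    """Count %s placeholders; %% is the escaped literal percent and is skipped."""
    return sql.replace("%%", "").count("%s")


def prepare(sql: str, untrusted_json: str) -> tuple[str, tuple]:
    """Decode a JSON request body into (sql, args) ready for cursor.execute().

    The body must decode to a scalar or a JSON array of scalars whose length
    matches the number of placeholders; a JSON object is rejected outright.
    """
    args = validate_query_args(json.loads(untrusted_json))
    expected = count_placeholders(sql)
    if len(args) != expected:
        raise UnsafeQueryArgument(f"expected {expected} parameters, got {len(args)}")
    return sql, args


# Constructed request bodies for the demonstration (not real traffic).
SAMPLE_BODIES = {
    "array_ok": '[42, "alice"]',
    "object_rejected": '{"id": 42, "name": "alice"}',
    "nested_object_rejected": '[42, {"name": "alice"}]',
    "wrong_arity": '[42]',
}
SAMPLE_SQL = "SELECT id, name FROM users WHERE id = %s AND name = %s"


def classify(bodies: dict[str, str] = SAMPLE_BODIES, sql: str = SAMPLE_SQL) -> dict[str, str]:
    """Run every sample body through prepare() and record accept/reject."""
    outcome = {}
    for label, body in bodies.items():
        try:
            prepare(sql, body)
            outcome[label] = "accepted"
        except UnsafeQueryArgument as exc:
            outcome[label] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for label, result in classify().items():
        print(f"{label:>24}: {result}")
```

Only the tuple returned by `prepare()` is handed to `cursor.execute(sql, args)`; a JSON object body never gets that far, whichever PyMySQL version is installed. The arity check is a cheap extra: a mismatch between placeholders and parameters is the usual symptom of a request body that was shaped differently from what the handler expected.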
🧩 Analysis chain
🌐 Web query:
Authlib changelog breaking changes from version 1.2.1 to 1.6.12 migration guide

💡 Result:
Authlib changelog “breaking changes” from 1.2.1 to 1.6.12 (migration guidance):

1) Version 1.2.1 (2023-06-25): removals/behavior changes you may need to account for
- Removed `has_client_secret` method and its documentation. [1][2]
- Removed `request_invalid` and `token_revoked` remaining occurrences and documentation. [1][2]
- `ClientSecretJWT.sign` now applies headers (via PR #552), which can affect how client secrets are signed. [1][2]
- `authorize_redirect` fix for Starlette v0.26.0. [1][2]
- Grant URI params: “Allow falsy but non-None grant uri params” (PR #544) may change validation logic around grant URI parameters. [1][2]
- Fixed RFC7591 `grant_types` and `response_types` default values. [1][2]

2) Authlib 1.6.x line: additional breaking changes called out in the changelog
- The Authlib 1.6.0 page exists and indicates there are “Breaking changes” sections between 1.x releases; use the changelog view to extract the specific items for the versions you are skipping. [3]
- In the repo changelog file, Authlib 1.6.9 shows breaking changes including:
  a) Support for `acr` and `amr` claims in `id_token`, requiring a migration in `OAuth2AuthorizationCodeMixin` to support the new fields. [4]
  b) Stop support for Python 3.8. [4]
  c) Raise `InvalidGrantError` for invalid code, redirect_uri and no-user errors in the OAuth 2.0 server (i.e., changed error behavior). [4]
  d) `authlib.jose.jwt` only works with JWS algorithms by default; to use JWT with JWE algorithms you must pass an `algorithms` parameter (example shown in changelog). [4]

3) 1.6.12 (2026-05-04): last-mile change in your target range
- v1.6.12 fixes redirecting to an unvalidated redirect_uri on `InvalidScopeError` in `OpenIDImplicitGrant` and `OpenIDHybridGrant`. [5]

4) Most important “migration guide” aspect in this range: prepare for the jose -> joserfc migration
Authlib’s upgrade material for the broader 1.x -> 2.0 transition highlights a major module migration:
- There is an explicit “Upgrade Guide: joserfc migration.” link on the Authlib upgrades changelog pages. [6]
- Authlib notes it will remove the `authlib.jose` module in 2.0.0, and to use joserfc instead (migration PR message). [7]

Practical migration approach (how to apply the above):
- Start by searching the Authlib stable changelog between exactly the versions you skip (1.2.1 -> 1.6.12) and copy the “Breaking changes” bullet points for each intermediate release that you’re not already on. The official changelog provides a full list of changes “between each Authlib release.” [1]
- Specifically review for removed APIs: `has_client_secret`, and `request_invalid`/`token_revoked` documentation/occurrences. [1][2]
- Specifically review for behavior changes around OAuth error handling and validation: `InvalidGrantError` changes and redirect_uri handling in 1.6.12. [4][5]
- If you rely on id_token customization: ensure `OAuth2AuthorizationCodeMixin` migration for acr/amr support (1.6.9 breaking change). [4]
- If your deployment still targets Python 3.8, this must change (1.6.9 breaking change). [4]
- If you use `authlib.jose` JWT/JWE: pass `algorithms` explicitly to use JWE algorithms (1.6.9 breaking change). [4]
- Plan for the jose -> joserfc migration even though it’s not necessarily “breaking” for 1.6.12 itself; the project is actively documenting and moving away from `authlib.jose`. [6][7]

If you want, paste your stack (OAuth2 vs OIDC, client vs server, frameworks, and which classes you use), and I’ll map the above breaking bullets to the most likely code changes in your app.

Citations:
Authlib 1.6.12 upgrade: changelog shows auth/OIDC/JWT breaking/behavior changes
Even though the security fix is important, the jump from Authlib 1.2.1 → 1.6.12 crosses multiple “breaking changes” in the 1.2.x–1.6.x line. Key items to validate for your auth plugins:
- `has_client_secret`; `request_invalid`/`token_revoked` remnants; `ClientSecretJWT.sign` behavior now applies headers
- `InvalidGrantError` handling changes; 1.6.12 redirect_uri validation fix on `InvalidScopeError` in `OpenIDImplicitGrant`/`OpenIDHybridGrant`
- `acr`/`amr` support in `id_token` (may require `OAuth2AuthorizationCodeMixin` migration if you customize)
- `authlib.jose.jwt` algorithm handling changes (JWE may require passing `algorithms`)
- `authlib.jose` → `joserfc` migration path

Run/confirm integration coverage for the specific auth/OIDC/JWT codepaths in this backend (redirect_uri handling, token/authorization flows, and any client secret/JWT/JWE logic) before relying on the change.
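The review comment above reduces the 1.2.1 to 1.6.12 jump to a checklist of removed, changed or soon-to-be-removed Authlib APIs. The following is an added example of the audit a reviewer would run before merging: it is not Zipstack/unstract or Authlib code, it walks Python source with the standard-library `ast` module, and it flags every reference to a symbol on that checklist plus any `jwt.decode(...)` call that passes no `algorithms=` keyword (a heuristic; only JWE tokens are affected). The symbol table, the reasons attached to each entry, and the scanned module `SAMPLE_MODULE` are constructed for the illustration; the import paths in the sample are assumptions rather than something the page confirms.

```python
"""
Pre-upgrade audit for the Authlib 1.2.1 -> 1.6.12 jump.

Added example (not Zipstack/unstract or Authlib code): it walks Python source
with the stdlib ast module and flags references to the APIs the changelog
summary lists as removed, changed, or slated for removal, so each hit can be
checked against the changelog. The scanned module below is constructed.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Symbol -> why it needs review, taken from the changelog summary.
FLAGGED_SYMBOLS = {
    "has_client_secret": "removed in 1.2.1",
    "request_invalid": "removed in 1.2.1",
    "token_revoked": "removed in 1.2.1",
    "ClientSecretJWT": "sign() now applies headers (1.2.1)",
    "InvalidGrantError": "raised for more conditions since 1.6.9",
    "InvalidScopeError": "redirect_uri validation changed in 1.6.12",
    "OpenIDImplicitGrant": "redirect_uri validation changed in 1.6.12",
    "OpenIDHybridGrant": "redirect_uri validation changed in 1.6.12",
    "OAuth2AuthorizationCodeMixin": "acr/amr fields added in 1.6.9",
}
JOSE_MODULE = "authlib.jose"
JOSE_REASON = "authlib.jose is slated for removal in 2.0; migrate to joserfc"
JWT_DECODE_REASON = "since 1.6.9 jwt.decode() needs algorithms= for JWE tokens"


@dataclass(frozen=True, order=True)
class Finding:
    line: int
    symbol: str
    reason: str


def _is_jose(module: str) -> bool:
    return module == JOSE_MODULE or module.startswith(JOSE_MODULE + ".")


def _has_keyword(call: ast.Call, name: str) -> bool:
    return any(kw.arg == name for kw in call.keywords)


def audit_source(source: str) -> list[Finding]:
    """Return sorted, de-duplicated findings for one module's source text."""
    findings: set[Finding] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _is_jose(alias.name):
                    findings.add(Finding(node.lineno, alias.name, JOSE_REASON))
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            if _is_jose(module):
                findings.add(Finding(node.lineno, module, JOSE_REASON))
            for alias in node.names:
                if alias.name in FLAGGED_SYMBOLS:
                    findings.add(Finding(node.lineno, alias.name, FLAGGED_SYMBOLS[alias.name]))
        elif isinstance(node, ast.Attribute) and node.attr in FLAGGED_SYMBOLS:
            findings.add(Finding(node.lineno, node.attr, FLAGGED_SYMBOLS[node.attr]))
        elif isinstance(node, ast.Name) and node.id in FLAGGED_SYMBOLS:
            findings.add(Finding(node.lineno, node.id, FLAGGED_SYMBOLS[node.id]))
        elif isinstance(node, ast.Call):
            # Heuristic: any `jwt.decode(...)` call without an explicit algorithms=.
            func = node.func
            if (isinstance(func, ast.Attribute) and func.attr == "decode"
                    and isinstance(func.value, ast.Name) and func.value.id == "jwt"
                    and not _has_keyword(node, "algorithms")):
                findings.add(Finding(node.lineno, "jwt.decode", JWT_DECODE_REASON))
    return sorted(findings)


# Constructed module standing in for an auth plugin; not real project code,
# and the import paths are assumptions for the illustration.
SAMPLE_MODULE = '''
from authlib.jose import jwt
from authlib.oauth2.rfc6749.errors import InvalidGrantError

def verify(token, key):
    return jwt.decode(token, key)

class Client:
    def ok(self):
        return self.has_client_secret()
'''


if __name__ == "__main__":
    for finding in audit_source(SAMPLE_MODULE):
        print(f"line {finding.line}: {finding.symbol}: {finding.reason}")
```

Pointing `audit_source` at each file under the backend's auth plugins gives the list of call sites to re-test after the bump; an empty list for a module means none of the checklist symbols are referenced there, not that the module is unaffected by behavior changes such as the new `InvalidGrantError` conditions, which still need the integration coverage the comment asks for.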